Weird, self-replicating ‘TheMoon’ worm crawls into Linksys routers
By Lucian Constantin
A self-replicating program is infecting Linksys routers by exploiting an authentication bypass vulnerability in various models from the vendor’s E-Series product line.
Researchers from SANS Institute’s Internet Storm Center (ISC) issued an alert Wednesday about incidents where Linksys E1000 and E1200 routers had been compromised and were scanning other IP (Internet Protocol) address ranges on ports 80 and 8080. On Thursday the ISC researchers reported that they managed to capture the malware responsible for the scanning activity in one of their honeypots—systems intentionally left exposed to be attacked.
The attacks seems to be the result of a worm—a self-replicating program—that compromises Linksys routers and then uses those routers to scan for other vulnerable devices.
“At this point, we are aware of a worm that is spreading among various models of Linksys routers,” said Johannes Ullrich, the chief technology officer at SANS ISC, in a separate blog post. “We do not have a definite list of routers that are vulnerable, but the following routers may be vulnerable depending on firmware version: E4200b (pictured at top), E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900.”
First worm on TheMoon
The worm, which has been dubbed TheMoon because it contains the logo of Lunar Industries, a fictitious company from the 2009 movie “The Moon,” begins by requesting a /HNAP1/ URL from devices behind the scanned IP addresses. HNAP—the Home Network Administration Protocol—was developed by Cisco and allows identification, configuration and management of networking devices.
The worm sends the HNAP request in order to identify the router’s model and firmware version. If it determines that a device is vulnerable, it sends another request to a particular CGI script that allows the execution of local commands on the device.
SANS has not disclosed the name of the CGI script because it contains an authentication bypass vulnerability. “The request does not require authentication,” Ullrich said. “The worm sends random ‘admin’ credentials but they are not checked by the script.”
The worm exploits this vulnerability to download and execute a binary file in ELF (Executable and Linkable) format compiled for the MIPS platform. When executed on a new router, this binary begins scanning for new devices to infect. It also opens an HTTP server on a random low-numbered port and uses it to serve a copy of itself to the newly identified targets.
The binary contains a hardcoded list of over 670 IP address ranges that it scans, Ullrich said. “All appear to be linked to cable or DSL modem ISPs in various countries.”
It’s not clear what the purpose of the malware is other than spreading to additional devices. There are some strings in the binary that suggest the existence of a command-and-control server, which would make the threat a botnet that attackers could control remotely.
Linksys is aware of the vulnerability in some E-Series routers and is working on a fix, said Mike Duin, a spokesman for Linksys owner Belkin, in an email Friday.
Ullrich outlined several mitigation strategies in comments to his blog post. First of all, routers that are not configured for remote administration are not directly exposed to this attack. If a router needs to be administered remotely, restricting access to the administrative interface by IP address will help reduce the risk, Ullrich said. Changing the port of the interface to something other than 80 or 8080, will also prevent this particular attack, he said.